Forum Discussion

southern_shredd
Feb 11, 2020

http2 profile Chrome - ERR_HTTP2_SERVER_REFUSED_STREAM

We are experiencing issues with some of our websites using Chrome (version 80) where the HTTP2 profile is applied to the VIP.

 

We get the following error - ERR_HTTP2_SERVER_REFUSED_STREAM

 

We are running version 12.1.4 and have tried a few settings on the http2 profile, but the problem still persists.

 

Any ideas on how to resolve this or if anybody is also experiencing this?

 

  • Thanks. Is there a temporary solution that does not involve a software upgrade if you are on version 12.1.2? I must correct my original post, as we are also on version 12.1.2.

     

    By using a Performance layer 4 VIP and disabling http/2, the websites work on Chrome 80 but now fail on other browsers to the same VIP. The issue seems to be SSL and TLS related somehow.

     

     

     

    • Simon_Blakely
      Employee

      Switching to a Performance layer 4 VIP just does packet passthrough to the pool members - any issues with TLS are due to the pool member webserver/TLS implementation.

      If you are on BIG-IP 12.1.2, you have probably hit a different HTTP2 issue - probably:

      Bug ID 677119: HTTP2 implementation incorrectly treats SETTINGS_MAX_HEADER_LIST_SIZE

      There is no workaround - you will need to upgrade to resolve this issue.

      Here is the list of HTTP2 issues fixed in the latest 12.x series release since 12.1.2 (released Nov 2017):

      The latest version available is 12.1.5.1, which provides bugfixes for these HTTP/2 related issues:
       
      Known Issues in BIG-IP v12.1.x
      788773-5 	CVE-2019-9515 	K50233772 	HTTP/2 Vulnerability: CVE-2019-9515
      788769-5 	CVE-2019-9514 	K01988340 	HTTP/2 Vulnerability: CVE-2019-9514
      773673-5 	CVE-2019-9512 	K98053339 	HTTP/2 Vulnerability: CVE-2019-9512
       
      Cumulative fixes from BIG-IP v12.1.5 that are included in this release
      699598-4 	3-Major 		HTTP/2 requests with large body may result in RST_STREAM with FRAME_SIZE_ERROR
       
      Cumulative fixes from BIG-IP v12.1.4.1 that are included in this release
      745713-2 	CVE-2019-6619 	K94563344 	TMM may crash when processing HTTP/2 traffic
      744536 		3-Major 		HTTP/2 may garble large headers
      751586-1 	4-Minor 		http2 virtual does not honour translate-address disabled
       
      Cumulative fixes from BIG-IP v12.1.4 that are included in this release
      740490-2 	2-Critical 		Configuration changes involving HTTP2 or SPDY may leak memory
      680264 		3-Major 		HTTP2 headers frame decoding may fail when the frame delivered in multiple xfrags
       
      Cumulative fixes from BIG-IP v12.1.3.7 that are included in this release
      720293-1 	3-Major 		HTTP2 IPv4 to IPv6 fails
       
      Cumulative fixes from BIG-IP v12.1.3.6 that are included in this release
      703940-3 	CVE-2018-5530 	K45611803 	Malformed HTTP/2 frame consumes excessive system resources
      718071-3 	2-Critical 		HTTP2 with ASM policy not passing traffic
      702151-2 	3-Major 		HTTP/2 can garble large headers
      698916-3 	3-Major 		TMM crash with HTTP/2 under specific condition
      698379-3 	3-Major 	K61238215 	HTTP2 upload intermittently is aborted with HTTP2 error error_code=FLOW_CONTROL_ERROR(
      673052-2 	3-Major 		On i-Series platforms, HTTP/2 is limited to 10 streams
      659519-1 	3-Major 	K42400554 	Non-default header-table-size setting on HTTP2 profiles may cause issues
       
      Cumulative fixes from BIG-IP v12.1.3.4 that are included in this release
      705611-1 	2-Critical 		The TMM may crash when under load when configuration changes occur when the HTTP/2 profile is used
      700393-2 	2-Critical 	K53464344 	Under certain circumstances, a stale HTTP/2 stream can cause a tmm crash
      673951-4 	2-Critical 	K56466330 	Memory leak when using HTTP2 profile
      705794-1 	3-Major 		Under certain circumstances a stale HTTP/2 stream might cause a tmm crash
      689449-3 	3-Major 		Some flows may remain indefinitely in memory with spdy/http2 and http fallback-host configured
      677457 		3-Major 	K13036194 	HTTP/2 Gateway appends semicolon when a request has one or more cookies
      654086-3 	3-Major 		Incorrect handling of HTTP2 data frames larger than minimal frame size
       
      Cumulative fixes from BIG-IP v12.1.3.2 that are included in this release
      668501-2 	CVE-2017-6151 	K07369970 	HTTP2 does not handle some URIs correctly
      665924-1 	2-Critical 	K24847056 	The HTTP2 and SPDY filters may cause a TMM crash in complicated scenarios
      574526-1 	3-Major 	K55542554 	HTTP/2 and SPDY do not parse the path for the location/existence of the query parameter
       
      Cumulative fixes from BIG-IP v12.1.3.1 that are included in this release
      681710-4 	CVE-2017-6155 	K10930474 	Malformed HTTP/2 requests may cause TMM to crash
       
      Cumulative fixes from BIG-IP v12.1.3 that are included in this release
      677119 		3-Major 		HTTP2 implementation incorrectly treats SETTINGS_MAX_HEADER_LIST_SIZE
      652535-1 	3-Major 	K54443700 	HTTP/2 stream reset with PROTOCOL_ERROR when frame header is fragmented.
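
To check in a capture which of the conditions named in this thread is occurring, the frames can be decoded directly. The following is an added example, not part of the original posts and not F5 code: it parses decrypted HTTP/2 frame bytes (assumed to start after the client connection preface) and names SETTINGS parameters such as SETTINGS_MAX_HEADER_LIST_SIZE and RST_STREAM error codes such as REFUSED_STREAM, the code Chrome reports as ERR_HTTP2_SERVER_REFUSED_STREAM. The function names and sample bytes are constructed for illustration.

```python
import struct

# Identifiers from RFC 7540; only the frame types this example decodes.
SETTINGS_IDS = {1: "HEADER_TABLE_SIZE", 2: "ENABLE_PUSH", 3: "MAX_CONCURRENT_STREAMS",
                4: "INITIAL_WINDOW_SIZE", 5: "MAX_FRAME_SIZE", 6: "MAX_HEADER_LIST_SIZE"}
ERROR_CODES = {0x0: "NO_ERROR", 0x1: "PROTOCOL_ERROR", 0x3: "FLOW_CONTROL_ERROR",
               0x6: "FRAME_SIZE_ERROR", 0x7: "REFUSED_STREAM"}
RST_STREAM, SETTINGS, ACK = 0x3, 0x4, 0x1

def build_frame(ftype, flags, stream_id, payload=b""):
    """Helper used only to construct the sample input below."""
    n = len(payload)
    return struct.pack(">BHBBI", n >> 16, n & 0xFFFF, ftype, flags, stream_id) + payload

def decode_frames(data):
    """Return (frame name, stream id, detail) for every frame in data."""
    out, off = [], 0
    while off < len(data):
        if len(data) - off < 9:
            raise ValueError("truncated frame header at offset %d" % off)
        hi, lo, ftype, flags, sid = struct.unpack_from(">BHBBI", data, off)
        length, sid = (hi << 16) | lo, sid & 0x7FFFFFFF  # drop the reserved bit
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated payload at offset %d" % off)
        off += 9 + length
        if ftype == SETTINGS and flags & ACK:
            out.append(("SETTINGS", sid, "ACK"))
        elif ftype == SETTINGS:
            if length % 6:
                raise ValueError("SETTINGS payload is not a multiple of 6 bytes")
            pairs = [struct.unpack_from(">HI", payload, i) for i in range(0, length, 6)]
            out.append(("SETTINGS", sid, {SETTINGS_IDS.get(k, hex(k)): v for k, v in pairs}))
        elif ftype == RST_STREAM:
            if length != 4:
                raise ValueError("RST_STREAM payload must be 4 bytes")
            code = struct.unpack(">I", payload)[0]
            out.append(("RST_STREAM", sid, ERROR_CODES.get(code, hex(code))))
        else:
            out.append((hex(ftype), sid, "%d payload bytes" % length))
    return out

# Constructed sample: a client SETTINGS frame, then the server's reset of stream 1.
CLIENT = build_frame(SETTINGS, 0, 0, struct.pack(">HIHI", 3, 1000, 6, 262144))
SERVER = build_frame(SETTINGS, ACK, 0) + build_frame(RST_STREAM, 0, 1, struct.pack(">I", 0x7))

if __name__ == "__main__":
    for direction, data in (("client", CLIENT), ("server", SERVER)):
        for frame in decode_frames(data):
            print(direction, frame)
```

The error names in the table are limited to the codes that appear in the bug titles above plus NO_ERROR; any other code is returned as its hex value.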